Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

I\'m creating a multiplayer game(based in websockets) which runs directly from t

ID: 657895 • Letter: I

Question

I'm creating a multiplayer game(based in websockets) which runs directly from the browser and which has multiplayer functionality. Each player needs to have his own account(Username and password). When I was planning the game, I realized that the easiest way to migrate it to other platforms is writing it in HTML5. So, I need to create a login system using JS and websockets. But I'm not sure of how secure is to send a message with a content like username and password to the websocket server(which runs in a Java virtual machine).
What's the best way to authenticate an user using a websocket?

Explanation / Answer

If you want security, transmitting authentication data through TLS is a big start. But let's assume the websocket is already set up over TLS. A solution I would recommend would be based on a challenge-response mecanism :

1. The server would set up a random set of bytes (the challenge), set a timeout at the end of which the challenge wouldn't be authorized.
2. The client would send in "plain text" the username and the challenge and an hash (with a SHA2 or SHA3 algorithm) of challenge || username || f(password), f(password) being how the password is stored in the database (a SHA256 of password for instance
3. The server verifies with the username's data and the challenge the response and if so, authenticates the user. It also invalidates the challenge to invalidate any future attempt using this challenge

This method provides an anti-replay fonctionnality : an attacker could not capure the data and replay it later to authenticate.

I however have one big problem with this method : f(password) has here the roughly same security as password : if the database leaks, any attacker could authenticate as anybody else. I say "roughly" because, if stored in clear text, since a lot of users are using the same password on multiple websites (which is bad), their accounts could be compromised elsewhere.

I can't think of a method protecting against a database leakage and an anti-replay mechanism, but an anti-database leakage mechanism (send user password in clear text over TLS, hash password with database salt and compare with database) over TLS should be sufficient enough against most risks you will face

Related Questions

I\'m confused about the actual percentages not the rest. Thanks in advance. (c)
Question #3238104
I\'m confused about the actual percentages not the rest. Thanks in advance. (c)
Question #3252832
I\'m confused about the meaning of basolateral vs. apical sides ofcell membranes
Question #4790
I\'m confused about the relationship between the pKas, the pH, the pI, and the n
Question #864108
I\'m confused about this code and why this is not compling. the output and input
Question #670685
I\'m confused about what this program is actually doing, I know that the output
Question #3839352
I\'m confused as to how I justify this. Please explain your answer in depth. Tha
Question #2847586
I\'m confused as to why the maximum value is six and not five. Am I supposed to
Question #2843695
Hire Me For All Your Tutoring Needs
Integrity-first tutoring: clear explanations, guidance, and feedback.
Drop an Email at
drjack9650@gmail.com
Chat Now And Get Quote

Navigate

Previous
I\'m creating a minesweeper game in Java, this piece of code counts the number o
Next
I\'m creating a program (in C++) that will password protects its user\'s databas

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.